3A Vendors Becoming Identity Management Houses

Driven by privacy and reporting regulations, security 3A (authentication, authorization and administration) vendors are racing to offer corporate customers a new line of more complete security management solutions called, broadly, identity management, according to a new report from IDC.

At the heart of this change are three pieces of federal legislation passed over the past few years to ensure the privacy, validity, and accountability of information held by corporations nationwide: Sarbanes-Oxley (SOX), which came about this year in the wake of the Enron and Arthur Anderson debacles; the Health Insurance Portability and Accountability Act (HIPAA), which calls for stringent privacy standards around the electronic exchange of patient information; and the Gramm-Leach-Bliley Act (GLB), which protects consumer's financial information.

All call for tight controls over the use and reporting of financial and consumer information, and who has access to that information, said Brian Burke, research manager of IDC's Security Products program and one of the report's authors.

"(Businesses) are becoming legally bound to purchase security technology to support those regulations," he said. "It's forcing them to adopt minimum security standards that, in many cases, aren't in place right now, so it's forcing the purchase of some of these security technologies."

What this means for CIOs taxed with ensuring their organizations live up to these regulations are additional layers of reporting and tracking. But, according to IDC, help is on the way. IBM and Computer Associates have the best-defined identity management practices, but a slew of merger and acquisition activity in the 3A space indicates other companies are quickly following in their footsteps in order to capture a piece of what may prove to be a very lucrative, regulations-driven marketplace.

By 2007, IDC estimates, the identity management market will be worth $4 billion. Today, that market is just south of $600 million.

An additional driver is the need to reduce the complexity of the patchwork of solutions many companies have in place today, Burke said.

"All these different security products from all these different vendors and none of them work well together with one another," Burke said. "So, these security management vendors are coming out with management consoles that can manage various security technologies from a single console."

Identity management not only covers security 3A, but also things like legacy authorization, directories, public key infrastructure (PKI), hardware authentication, and passwords.

The sweet spot for these vendors will probably be mid-size organizations with limited IT resources, said Burke. Enterprise-class IT departments with available staff to handle the additional work-load will most likely take a best of breed approach, he said.